9f2aca94590b9f367108ce3db9f0c67d35e884f1f254fb7f761e00f2c905bdcf

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PaymentAdviceNotePdf.exe
Size

534KB
MD5

6252d288d82fa00e65d3ba32bdc53411
SHA1

c9c0c3e7d495ad742c76260964810ed5f0b82cd1
SHA256

9f2aca94590b9f367108ce3db9f0c67d35e884f1f254fb7f761e00f2c905bdcf
SHA512

a95891e8802ee52688039a92d9b364369808ec3f280435d9b69d4ed8231ac09e5d49e3ca099d7838774d116ae2b3ccd0a9341abbc075dc22899f3d9752549812
SSDEEP

12288:LBbNp71fn454+U71RZfiRufiWvCwr5ym2FV0:l1fn454+kDKQ9qW5yi

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

PaymentAdviceNotePdf.exe

pid process

1976 PaymentAdviceNotePdf.exe
1976 PaymentAdviceNotePdf.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

PaymentAdviceNotePdf.exePaymentAdviceNotePdf.exe

pid process

1976 PaymentAdviceNotePdf.exe
2380 PaymentAdviceNotePdf.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

PaymentAdviceNotePdf.exe

description pid process target process

PID 1976 set thread context of 2380 1976 PaymentAdviceNotePdf.exe PaymentAdviceNotePdf.exe
Drops file in Windows directory 1 IoCs

Processes:

PaymentAdviceNotePdf.exe

description ioc process

File opened for modification C:\Windows\resources\0409\Mancus.phi PaymentAdviceNotePdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1976	PaymentAdviceNotePdf.exe
1976	PaymentAdviceNotePdf.exe

pid	process
1976	PaymentAdviceNotePdf.exe
2380	PaymentAdviceNotePdf.exe

description	pid	process	target process
PID 1976 set thread context of 2380	1976	PaymentAdviceNotePdf.exe	PaymentAdviceNotePdf.exe

description	ioc	process
File opened for modification	C:\Windows\resources\0409\Mancus.phi	PaymentAdviceNotePdf.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

PaymentAdviceNotePdf.exePaymentAdviceNotePdf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PaymentAdviceNotePdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PaymentAdviceNotePdf.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

PaymentAdviceNotePdf.exe

pid process

1976 PaymentAdviceNotePdf.exe

pid	process
1976	PaymentAdviceNotePdf.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

PaymentAdviceNotePdf.exe

description	pid	process	target process
PID 1976 wrote to memory of 2380	1976	PaymentAdviceNotePdf.exe	PaymentAdviceNotePdf.exe
PID 1976 wrote to memory of 2380	1976	PaymentAdviceNotePdf.exe	PaymentAdviceNotePdf.exe
PID 1976 wrote to memory of 2380	1976	PaymentAdviceNotePdf.exe	PaymentAdviceNotePdf.exe
PID 1976 wrote to memory of 2380	1976	PaymentAdviceNotePdf.exe	PaymentAdviceNotePdf.exe
PID 1976 wrote to memory of 2380	1976	PaymentAdviceNotePdf.exe	PaymentAdviceNotePdf.exe
PID 1976 wrote to memory of 2380	1976	PaymentAdviceNotePdf.exe	PaymentAdviceNotePdf.exe

C:\Users\Admin\AppData\Local\Temp\PaymentAdviceNotePdf.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentAdviceNotePdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\PaymentAdviceNotePdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PaymentAdviceNotePdf.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdDBA0.tmp\System.dll

Filesize
11KB

MD5
ee260c45e97b62a5e42f17460d406068

SHA1
df35f6300a03c4d3d3bd69752574426296b78695

SHA256
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27

SHA512
a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3

Download Submit
memory/1976-16-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1976-15-0x00000000772F1000-0x00000000773F2000-memory.dmp

Filesize
1.0MB

Download
memory/2380-17-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/2380-18-0x0000000000470000-0x00000000014D2000-memory.dmp

Filesize
16.4MB

Download